Many modern organizations employ security applications to deal with security issues on an organizational and technical level. For example, security applications may be employed to supervise, among other things, the organization's network and network devices to monitor for, investigate, and defend against potential threats. For example, a security application may be tasked with monitoring network devices and then alerting network administrators each time that a network device is threatened, such as by a virus or by malware.
Unfortunately, however, the task of monitoring a network for every potential threat can be very difficult in modern network environments. This difficulty may arise due to the relatively high number of network devices on modern networks and the relatively high number of potentially threatening circumstances that may arise on any given day on the network devices. Further, when a security application identifies a potential threat to a network device and then makes a security decision to mitigate the potential threat, it can be difficult to explain to a user of the network device why the security application made the security decision that it made due to the highly complex nature of the process employed by the security applications in making decisions. When a user is not given a satisfactory explanation why a particular security decision for a network device was made by a security application, the user may become skeptical that the security application is making sound security decisions, and may decide to circumvent the security application, thereby opening up the network device and the corresponding network to additional threats.
For example, when a security application identifies a website as a potentially virus-infected website and makes a security decision to block the website from being visited on a network device, it may be difficult for the security application to adequately explain to the user of the network device why the website was blocked. If the user is not given a satisfactory explanation why the security application blocked the website, the user may become skeptical of the security application and decide to disable the security application in order to visit the blocked website, thereby opening up the network device to the potentially virus-infected website.
The subject matter claimed herein is not limited to embodiments that solve any disadvantages or that operate only in environments such as those described above. Rather, this background is only provided to illustrate one example technology area where some embodiments described herein may be practiced.